System and Method for Non-Disruptive In-Memory Certificate Management

ABSTRACT

A method, computer program product, and computer system for maintaining, by a computing device, a plurality of certificates in a credential store using a distributed data source. A certificate of the plurality of certificates may be loaded in an in-memory location from the distributed data source upon startup. A change in at least one certificate of the plurality of certificates may be detected in the distributed data source. The change in the at least one certificate may be loaded from the distributed data source to the in-memory location without requiring a restart of the computing device.

BACKGROUND

Traditionally, certificate management has been file based where thecertificates reside on the file system and a configuration file pointingto the location of the certificates. When the server/process needs to besecured, the certificates are loaded into the server/process memory byreading the certificate files. Every single change to the certificatefiles (e.g., update, delete or new certificate(s)) are generally thenforcing the server to be restarted to load in the new changes.

BRIEF SUMMARY OF DISCLOSURE

In one example implementation, a method, performed by one or morecomputing devices, may include but is not limited to maintaining, by acomputing device, a plurality of certificates in a credential storeusing a distributed data source. A certificate of the plurality ofcertificates may be loaded in an in-memory location from the distributeddata source upon startup. A change in at least one certificate of theplurality of certificates may be detected in the distributed datasource. The change in the at least one certificate may be loaded fromthe distributed data source to the in-memory location without requiringa restart of the computing device.

One or more of the following example features may be included. Thechange in the at least one certificate may be persisted atomically inthe distributed data source prior to being loaded to the in-memorylocation. Detecting the change in the at least one certificate of theplurality of certificates in the distributed data source may includereceiving an intra-process communication to load the change in the atleast one certificate from the distributed data source to the in-memorylocation. The distributed data source may include one of a data storefor a single computing device, a distributed data store spanning aclustered system, and include a file system spanning the clusteredsystem. The change in the at least one certificate may be loaded to atrust store of a web client. The plurality of certificates may beassociated with a plurality of micro-services, wherein eachmicro-service may maintain a separate in-memory certificate store thatis managed independently from other micro-services. The plurality ofcertificates may be associated with a plurality of ports, wherein eachport may maintain a separate in-memory certificate store that is managedindependently from other ports.

In another example implementation, a computing system may include one ormore processors and one or more memories configured to performoperations that may include but are not limited to maintaining, by acomputing device, a plurality of certificates in a credential storeusing a distributed data source. A certificate of the plurality ofcertificates may be loaded in an in-memory location from the distributeddata source upon startup. A change in at least one certificate of theplurality of certificates may be detected in the distributed datasource. The change in the at least one certificate may be loaded fromthe distributed data source to the in-memory location without requiringa restart of the computing device.

One or more of the following example features may be included. Thechange in the at least one certificate may be persisted atomically inthe distributed data source prior to being loaded to the in-memorylocation. Detecting the change in the at least one certificate of theplurality of certificates in the distributed data source may includereceiving an intra-process communication to load the change in the atleast one certificate from the distributed data source to the in-memorylocation. The distributed data source may include one of a data storefor a single computing device, a distributed data store spanning aclustered system, and include a file system spanning the clusteredsystem. The change in the at least one certificate may be loaded to atrust store of a web client. The plurality of certificates may beassociated with a plurality of micro-services, wherein eachmicro-service may maintain a separate in-memory certificate store thatis managed independently from other micro-services. The plurality ofcertificates may be associated with a plurality of ports, wherein eachport may maintain a separate in-memory certificate store that is managedindependently from other ports.

In another example implementation, a computer program product may resideon a computer readable storage medium having a plurality of instructionsstored thereon which, when executed across one or more processors, maycause at least a portion of the one or more processors to performoperations that may include but are not limited to maintaining, by acomputing device, a plurality of certificates in a credential storeusing a distributed data source. A certificate of the plurality ofcertificates may be loaded in an in-memory location from the distributeddata source upon startup. A change in at least one certificate of theplurality of certificates may be detected in the distributed datasource. The change in the at least one certificate may be loaded fromthe distributed data source to the in-memory location without requiringa restart of the computing device.

One or more of the following example features may be included. Thechange in the at least one certificate may be persisted atomically inthe distributed data source prior to being loaded to the in-memorylocation. Detecting the change in the at least one certificate of theplurality of certificates in the distributed data source may includereceiving an intra-process communication to load the change in the atleast one certificate from the distributed data source to the in-memorylocation. The distributed data source may include one of a data storefor a single computing device, a distributed data store spanning aclustered system, and include a file system spanning the clusteredsystem. The change in the at least one certificate may be loaded to atrust store of a web client. The plurality of certificates may beassociated with a plurality of micro-services, wherein eachmicro-service may maintain a separate in-memory certificate store thatis managed independently from other micro-services. The plurality ofcertificates may be associated with a plurality of ports, wherein eachport may maintain a separate in-memory certificate store that is managedindependently from other ports.

The details of one or more example implementations are set forth in theaccompanying drawings and the description below. Other possible examplefeatures and/or possible example advantages will become apparent fromthe description, the drawings, and the claims. Some implementations maynot have those possible example features and/or possible exampleadvantages, and such possible example features and/or possible exampleadvantages may not necessarily be required of some implementations.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an example diagrammatic view of a certificate managementprocess coupled to an example distributed computing network according toone or more example implementations of the disclosure;

FIG. 2 is an example diagrammatic view of a storage system of FIG. 1according to one or more example implementations of the disclosure;

FIG. 3 is an example diagrammatic view of a storage target of FIG. 1according to one or more example implementations of the disclosure;

FIG. 4 is an example diagrammatic view of a traditional webserverenvironment;

FIG. 5 is an example flowchart of a certificate management processaccording to one or more example implementations of the disclosure;

FIG. 6 is an example diagrammatic view of a webserver environmentaccording to one or more example implementations of the disclosure;

FIG. 7 is an example diagrammatic view of a webserver environmentaccording to one or more example implementations of the disclosure;

FIG. 8 is an example diagrammatic view of a certificate managementprocess in a webserver environment according to one or more exampleimplementations of the disclosure; and

FIG. 9 is an example diagrammatic view of a webserver/web clientenvironment according to one or more example implementations of thedisclosure.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION System Overview:

In some implementations, the present disclosure may be embodied as amethod, system, or computer program product. Accordingly, in someimplementations, the present disclosure may take the form of an entirelyhardware implementation, an entirely software implementation (includingfirmware, resident software, micro-code, etc.) or an implementationcombining software and hardware aspects that may all generally bereferred to herein as a “circuit,” “module” or “system.” Furthermore, insome implementations, the present disclosure may take the form of acomputer program product on a computer-usable storage medium havingcomputer-usable program code embodied in the medium.

In some implementations, any suitable computer usable or computerreadable medium (or media) may be utilized. The computer readable mediummay be a computer readable signal medium or a computer readable storagemedium. The computer-usable, or computer-readable, storage medium(including a storage device associated with a computing device or clientelectronic device) may be, for example, but is not limited to, anelectronic, magnetic, optical, electromagnetic, infrared, orsemiconductor system, apparatus, device, or any suitable combination ofthe foregoing. More specific examples (a non-exhaustive list) of thecomputer-readable medium may include the following: an electricalconnection having one or more wires, a portable computer diskette, ahard disk, a random access memory (RAM), a read-only memory (ROM), anerasable programmable read-only memory (EPROM or Flash memory), anoptical fiber, a portable compact disc read-only memory (CD-ROM), anoptical storage device, a digital versatile disk (DVD), a static randomaccess memory (SRAM), a memory stick, a floppy disk, a mechanicallyencoded device such as punch-cards or raised structures in a groovehaving instructions recorded thereon, a media such as those supportingthe internet or an intranet, or a magnetic storage device. Note that thecomputer-usable or computer-readable medium could even be a suitablemedium upon which the program is stored, scanned, compiled, interpreted,or otherwise processed in a suitable manner, if necessary, and thenstored in a computer memory. In the context of the present disclosure, acomputer-usable or computer-readable, storage medium may be any tangiblemedium that can contain or store a program for use by or in connectionwith the instruction execution system, apparatus, or device.

In some implementations, a computer readable signal medium may include apropagated data signal with computer readable program code embodiedtherein, for example, in baseband or as part of a carrier wave. In someimplementations, such a propagated signal may take any of a variety offorms, including, but not limited to, electro-magnetic, optical, or anysuitable combination thereof. In some implementations, the computerreadable program code may be transmitted using any appropriate medium,including but not limited to the internet, wireline, optical fibercable, RF, etc. In some implementations, a computer readable signalmedium may be any computer readable medium that is not a computerreadable storage medium and that can communicate, propagate, ortransport a program for use by or in connection with an instructionexecution system, apparatus, or device.

In some implementations, computer program code for carrying outoperations of the present disclosure may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including an objectoriented programming language such as Java®, Smalltalk, C++ or the like.Java® and all Java-based trademarks and logos are trademarks orregistered trademarks of Oracle and/or its affiliates. However, thecomputer program code for carrying out operations of the presentdisclosure may also be written in conventional procedural programminglanguages, such as the “C” programming language, PASCAL, or similarprogramming languages, as well as in scripting languages such asJavascript, PERL, or Python. The program code may execute entirely onthe user's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough a local area network (LAN) or a wide area network (WAN), or theconnection may be made to an external computer (for example, through theinternet using an Internet Service Provider). In some implementations,electronic circuitry including, for example, programmable logiccircuitry, field-programmable gate arrays (FPGAs) or other hardwareaccelerators, micro-controller units (MCUs), or programmable logicarrays (PLAs) may execute the computer readable programinstructions/code by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present disclosure.

In some implementations, the flowchart and block diagrams in the figuresillustrate the architecture, functionality, and operation of possibleimplementations of apparatus (systems), methods and computer programproducts according to various implementations of the present disclosure.Each block in the flowchart and/or block diagrams, and combinations ofblocks in the flowchart and/or block diagrams, may represent a module,segment, or portion of code, which comprises one or more executablecomputer program instructions for implementing the specified logicalfunction(s)/act(s). These computer program instructions may be providedto a processor of a general purpose computer, special purpose computer,or other programmable data processing apparatus to produce a machine,such that the computer program instructions, which may execute via theprocessor of the computer or other programmable data processingapparatus, create the ability to implement one or more of thefunctions/acts specified in the flowchart and/or block diagram block orblocks or combinations thereof. It should be noted that, in someimplementations, the functions noted in the block(s) may occur out ofthe order noted in the figures (or combined or omitted). For example,two blocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved.

In some implementations, these computer program instructions may also bestored in a computer-readable memory that can direct a computer or otherprogrammable data processing apparatus to function in a particularmanner, such that the instructions stored in the computer-readablememory produce an article of manufacture including instruction meanswhich implement the function/act specified in the flowchart and/or blockdiagram block or blocks or combinations thereof.

In some implementations, the computer program instructions may also beloaded onto a computer or other programmable data processing apparatusto cause a series of operational steps to be performed (not necessarilyin a particular order) on the computer or other programmable apparatusto produce a computer implemented process such that the instructionswhich execute on the computer or other programmable apparatus providesteps for implementing the functions/acts (not necessarily in aparticular order) specified in the flowchart and/or block diagram blockor blocks or combinations thereof.

Referring now to the example implementation of FIG. 1, there is showncertificate management process 10 that may reside on and may be executedby a computer (e.g., computer 12), which may be connected to a network(e.g., network 14) (e.g., the internet or a local area network).Examples of computer 12 (and/or one or more of the client electronicdevices noted below) may include, but are not limited to, a storagesystem (e.g., a Network Attached Storage (NAS) system, a Storage AreaNetwork (SAN)), a personal computer(s), a laptop computer(s), mobilecomputing device(s), a server computer, a series of server computers, amainframe computer(s), or a computing cloud(s). As is known in the art,a SAN may include one or more of the client electronic devices,including a RAID device and a NAS system. In some implementations, eachof the aforementioned may be generally described as a computing device.In certain implementations, a computing device may be a physical orvirtual device. In many implementations, a computing device may be anydevice capable of performing operations, such as a dedicated processor,a portion of a processor, a virtual processor, a portion of a virtualprocessor, portion of a virtual device, or a virtual device. In someimplementations, a processor may be a physical processor or a virtualprocessor. In some implementations, a virtual processor may correspondto one or more parts of one or more physical processors. In someimplementations, the instructions/logic may be distributed and executedacross one or more processors, virtual or physical, to execute theinstructions/logic. Computer 12 may execute an operating system, forexample, but not limited to, Microsoft® Windows®; Mac® OS X®; Red Hat®Linux®, Windows® Mobile, Chrome OS, Blackberry OS, Fire OS, or a customoperating system. (Microsoft and Windows are registered trademarks ofMicrosoft Corporation in the United States, other countries or both; Macand OS X are registered trademarks of Apple Inc. in the United States,other countries or both; Red Hat is a registered trademark of Red HatCorporation in the United States, other countries or both; and Linux isa registered trademark of Linus Torvalds in the United States, othercountries or both).

In some implementations, as will be discussed below in greater detail, acertificate management process, such as certificate management process10 of FIG. 1, may maintain, by a computing device, a plurality ofcertificates in a credential store using a distributed data source. Acertificate of the plurality of certificates may be loaded in anin-memory location from the distributed data source upon startup. Achange in at least one certificate of the plurality of certificates maybe detected in the distributed data source. The change in the at leastone certificate may be loaded from the distributed data source to thein-memory location without requiring a restart of the computing device.

In some implementations, the instruction sets and subroutines ofcertificate management process 10, which may be stored on storagedevice, such as storage device 16, coupled to computer 12, may beexecuted by one or more processors and one or more memory architecturesincluded within computer 12. In some implementations, storage device 16may include but is not limited to: a hard disk drive; all forms of flashmemory storage devices; a tape drive; an optical drive; a RAID array (orother array); a random access memory (RAM); a read-only memory (ROM); orcombination thereof. In some implementations, storage device 16 may beorganized as an extent, an extent pool, a RAID extent (e.g., an example4D+1P R5, where the RAID extent may include, e.g., five storage deviceextents that may be allocated from, e.g., five different storagedevices), a mapped RAID (e.g., a collection of RAID extents), orcombination thereof.

In some implementations, network 14 may be connected to one or moresecondary networks (e.g., network 18), examples of which may include butare not limited to: a local area network; a wide area network or othertelecommunications network facility; or an intranet, for example. Thephrase “telecommunications network facility,” as used herein, may referto a facility configured to transmit, and/or receive transmissionsto/from one or more mobile client electronic devices (e.g., cellphones,etc.) as well as many others.

In some implementations, computer 12 may include a data store, such as adatabase (e.g., relational database, object-oriented database,triplestore database, etc.) and may be located within any suitablememory location, such as storage device 16 coupled to computer 12. Insome implementations, data, metadata, information, etc. describedthroughout the present disclosure may be stored in the data store. Insome implementations, computer 12 may utilize any known databasemanagement system such as, but not limited to, DB2, in order to providemulti-user access to one or more databases, such as the above notedrelational database. In some implementations, the data store may also bea custom database, such as, for example, a flat file database or an XMLdatabase. In some implementations, any other form(s) of a data storagestructure and/or organization may also be used. In some implementations,certificate management process 10 may be a component of the data store,a standalone application that interfaces with the above noted data storeand/or an applet/application that is accessed via client applications22, 24, 26, 28. In some implementations, the above noted data store maybe, in whole or in part, distributed in a cloud computing topology. Inthis way, computer 12 and storage device 16 may refer to multipledevices, which may also be distributed throughout the network.

In some implementations, computer 12 may execute a storage managementapplication (e.g., storage management application 21), examples of whichmay include, but are not limited to, e.g., a storage system application,a cloud computing application, a data synchronization application, adata migration application, a garbage collection application, or otherapplication that allows for the implementation and/or management of datain a clustered (or non-clustered) environment (or the like). In someimplementations, certificate management process 10 and/or storagemanagement application 21 may be accessed via one or more of clientapplications 22, 24, 26, 28. In some implementations, certificatemanagement process 10 may be a standalone application, or may be anapplet/application/script/extension that may interact with and/or beexecuted within storage management application 21, a component ofstorage management application 21, and/or one or more of clientapplications 22, 24, 26, 28. In some implementations, storage managementapplication 21 may be a standalone application, or may be anapplet/application/script/extension that may interact with and/or beexecuted within certificate management process 10, a component ofcertificate management process 10, and/or one or more of clientapplications 22, 24, 26, 28. In some implementations, one or more ofclient applications 22, 24, 26, 28 may be a standalone application, ormay be an applet/application/script/extension that may interact withand/or be executed within and/or be a component of certificatemanagement process 10 and/or storage management application 21. Examplesof client applications 22, 24, 26, 28 may include, but are not limitedto, e.g., a storage system application, a cloud computing application, adata synchronization application, a data migration application, agarbage collection application, or other application that allows for theimplementation and/or management of data in a clustered (ornon-clustered) environment (or the like), a standard and/or mobile webbrowser, an email application (e.g., an email client application), atextual and/or a graphical user interface, a customized web browser, aplugin, an Application Programming Interface (API), or a customapplication. The instruction sets and subroutines of client applications22, 24, 26, 28, which may be stored on storage devices 30, 32, 34, 36,coupled to client electronic devices 38, 40, 42, 44, may be executed byone or more processors and one or more memory architectures incorporatedinto client electronic devices 38, 40, 42, 44.

In some implementations, one or more of storage devices 30, 32, 34, 36,may include but are not limited to: hard disk drives; flash drives, tapedrives; optical drives; RAID arrays; random access memories (RAM); andread-only memories (ROM). Examples of client electronic devices 38, 40,42, 44 (and/or computer 12) may include, but are not limited to, apersonal computer (e.g., client electronic device 38), a laptop computer(e.g., client electronic device 40), a smart/data-enabled, cellularphone (e.g., client electronic device 42), a notebook computer (e.g.,client electronic device 44), a tablet, a server, a television, a smarttelevision, a smart speaker, an Internet of Things (IoT) device, a media(e.g., video, photo, etc.) capturing device, and a dedicated networkdevice. Client electronic devices 38, 40, 42, 44 may each execute anoperating system, examples of which may include but are not limited to,Android™, Apple® iOS®, Mac® OS X®; Red Hat® Linux®, Windows® Mobile,Chrome OS, Blackberry OS, Fire OS, or a custom operating system.

In some implementations, one or more of client applications 22, 24, 26,28 may be configured to effectuate some or all of the functionality ofcertificate management process 10 (and vice versa). Accordingly, in someimplementations, certificate management process 10 may be a purelyserver-side application, a purely client-side application, or a hybridserver-side/client-side application that is cooperatively executed byone or more of client applications 22, 24, 26, 28 and/or certificatemanagement process 10.

In some implementations, one or more of client applications 22, 24, 26,28 may be configured to effectuate some or all of the functionality ofstorage management application 21 (and vice versa). Accordingly, in someimplementations, storage management application 21 may be a purelyserver-side application, a purely client-side application, or a hybridserver-side/client-side application that is cooperatively executed byone or more of client applications 22, 24, 26, 28 and/or storagemanagement application 21. As one or more of client applications 22, 24,26, 28, certificate management process 10, and storage managementapplication 21, taken singly or in any combination, may effectuate someor all of the same functionality, any description of effectuating suchfunctionality via one or more of client applications 22, 24, 26, 28,certificate management process 10, storage management application 21, orcombination thereof, and any described interaction(s) between one ormore of client applications 22, 24, 26, 28, certificate managementprocess 10, storage management application 21, or combination thereof toeffectuate such functionality, should be taken as an example only andnot to limit the scope of the disclosure.

In some implementations, one or more of users 46, 48, 50, 52 may accesscomputer 12 and certificate management process 10 (e.g., using one ormore of client electronic devices 38, 40, 42, 44) directly throughnetwork 14 or through secondary network 18. Further, computer 12 may beconnected to network 14 through secondary network 18, as illustratedwith phantom link line 54. Certificate management process 10 may includeone or more user interfaces, such as browsers and textual or graphicaluser interfaces, through which users 46, 48, 50, 52 may accesscertificate management process 10.

In some implementations, the various client electronic devices may bedirectly or indirectly coupled to network 14 (or network 18). Forexample, client electronic device 38 is shown directly coupled tonetwork 14 via a hardwired network connection. Further, clientelectronic device 44 is shown directly coupled to network 18 via ahardwired network connection. Client electronic device 40 is shownwirelessly coupled to network 14 via wireless communication channel 56established between client electronic device 40 and wireless accesspoint (i.e., WAP) 58, which is shown directly coupled to network 14. WAP58 may be, for example, an IEEE 802.11a, 802.11b, 802.11g, 802.11n,802.11ac, Wi-Fi®, RFID, and/or Bluetooth™ (including Bluetooth™ LowEnergy) device that is capable of establishing wireless communicationchannel 56 between client electronic device 40 and WAP 58. Clientelectronic device 42 is shown wirelessly coupled to network 14 viawireless communication channel 60 established between client electronicdevice 42 and cellular network/bridge 62, which is shown by exampledirectly coupled to network 14.

In some implementations, some or all of the IEEE 802.11x specificationsmay use Ethernet protocol and carrier sense multiple access withcollision avoidance (i.e., CSMA/CA) for path sharing. The various802.11x specifications may use phase-shift keying (i.e., PSK) modulationor complementary code keying (i.e., CCK) modulation, for example.Bluetooth™ (including Bluetooth™ Low Energy) is a telecommunicationsindustry specification that allows, e.g., mobile phones, computers,smart phones, and other electronic devices to be interconnected using ashort-range wireless connection. Other forms of interconnection (e.g.,Near Field Communication (NFC)) may also be used.

In some implementations, various I/O requests (e.g., I/O request 15) maybe sent from, e.g., client applications 22, 24, 26, 28 to, e.g.,computer 12. Examples of I/O request 15 may include but are not limitedto, data write requests (e.g., a request that content be written tocomputer 12) and data read requests (e.g., a request that content beread from computer 12).

Data Storage System:

Referring also to the example implementation of FIGS. 2-3 (e.g., wherecomputer 12 may be configured as a data storage system), computer 12 mayinclude storage processor 100 and a plurality of storage targets (e.g.,storage targets 102, 104, 106, 108, 110). In some implementations,storage targets 102, 104, 106, 108, 110 may include any of theabove-noted storage devices. In some implementations, storage targets102, 104, 106, 108, 110 may be configured to provide various levels ofperformance and/or high availability. For example, storage targets 102,104, 106, 108, 110 may be configured to form a non-fully-duplicativefault-tolerant data storage system (such as a non-fully-duplicative RAIDdata storage system), examples of which may include but are not limitedto: RAID 3 arrays, RAID 4 arrays, RAID 5 arrays, and/or RAID 6 arrays.It will be appreciated that various other types of RAID arrays may beused without departing from the scope of the present disclosure.

While in this particular example, computer 12 is shown to include fivestorage targets (e.g., storage targets 102, 104, 106, 108, 110), this isfor example purposes only and is not intended limit the presentdisclosure. For instance, the actual number of storage targets may beincreased or decreased depending upon, e.g., the level ofredundancy/performance/capacity required.

Further, the storage targets (e.g., storage targets 102, 104, 106, 108,110) included with computer 12 may be configured to form a plurality ofdiscrete storage arrays. For instance, and assuming for example purposesonly that computer 12 includes, e.g., ten discrete storage targets, afirst five targets (of the ten storage targets) may be configured toform a first RAID array and a second five targets (of the ten storagetargets) may be configured to form a second RAID array.

In some implementations, one or more of storage targets 102, 104, 106,108, 110 may be configured to store coded data (e.g., via storagemanagement process 21), wherein such coded data may allow for theregeneration of data lost/corrupted on one or more of storage targets102, 104, 106, 108, 110. Examples of such coded data may include but isnot limited to parity data and Reed-Solomon data. Such coded data may bedistributed across all of storage targets 102, 104, 106, 108, 110 or maybe stored within a specific storage target.

Examples of storage targets 102, 104, 106, 108, 110 may include one ormore data arrays, wherein a combination of storage targets 102, 104,106, 108, 110 (and any processing/control systems associated withstorage management application 21) may form data array 112.

The manner in which computer 12 is implemented may vary depending upone.g., the level of redundancy/performance/capacity required. Forexample, computer 12 may be configured as a SAN (i.e., a Storage AreaNetwork), in which storage processor 100 may be, e.g., a dedicatedcomputing system and each of storage targets 102, 104, 106, 108, 110 maybe a RAID device. An example of storage processor 100 may include but isnot limited to a VPLEX™, VNX™ or Unity™ system offered by Dell EMC™ ofHopkinton, Mass.

In the example where computer 12 is configured as a SAN, the variouscomponents of computer 12 (e.g., storage processor 100, and storagetargets 102, 104, 106, 108, 110) may be coupled using networkinfrastructure 114, examples of which may include but are not limited toan Ethernet (e.g., Layer 2 or Layer 3) network, a fiber channel network,an InfiniBand network, or any other circuit switched/packet switchednetwork.

As discussed above, various I/O requests (e.g., I/O request 15) may begenerated. For example, these I/O requests may be sent from, e.g.,client applications 22, 24, 26, 28 to, e.g., computer 12.Additionally/alternatively (e.g., when storage processor 100 isconfigured as an application server or otherwise), these I/O requestsmay be internally generated within storage processor 100 (e.g., viastorage management process 21). Examples of I/O request 15 may includebut are not limited to data write request 116 (e.g., a request thatcontent 118 be written to computer 12) and data read request 120 (e.g.,a request that content 118 be read from computer 12).

In some implementations, during operation of storage processor 100,content 118 to be written to computer 12 may be received and/orprocessed by storage processor 100 (e.g., via storage management process21). Additionally/alternatively (e.g., when storage processor 100 isconfigured as an application server or otherwise), content 118 to bewritten to computer 12 may be internally generated by storage processor100 (e.g., via storage management process 21).

As discussed above, the instruction sets and subroutines of storagemanagement application 21, which may be stored on storage device 16included within computer 12, may be executed by one or more processorsand one or more memory architectures included with computer 12.Accordingly, in addition to being executed on storage processor 100,some or all of the instruction sets and subroutines of storagemanagement application 21 (and/or certificate management process 10) maybe executed by one or more processors and one or more memoryarchitectures included with data array 112.

In some implementations, storage processor 100 may include front endcache memory system 122. Examples of front end cache memory system 122may include but are not limited to a volatile, solid-state, cache memorysystem (e.g., a dynamic RAM cache memory system), a non-volatile,solid-state, cache memory system (e.g., a flash-based, cache memorysystem), and/or any of the above-noted storage devices.

In some implementations, storage processor 100 may initially storecontent 118 within front end cache memory system 122. Depending upon themanner in which front end cache memory system 122 is configured, storageprocessor 100 (e.g., via storage management process 21) may immediatelywrite content 118 to data array 112 (e.g., if front end cache memorysystem 122 is configured as a write-through cache) or may subsequentlywrite content 118 to data array 112 (e.g., if front end cache memorysystem 122 is configured as a write-back cache).

In some implementations, one or more of storage targets 102, 104, 106,108, 110 may include a backend cache memory system. Examples of thebackend cache memory system may include but are not limited to avolatile, solid-state, cache memory system (e.g., a dynamic RAM cachememory system), a non-volatile, solid-state, cache memory system (e.g.,a flash-based, cache memory system), and/or any of the above-notedstorage devices.

Storage Targets:

As discussed above, one or more of storage targets 102, 104, 106, 108,110 may be a RAID device. For instance, and referring also to FIG. 3,there is shown example target 150, wherein target 150 may be one exampleimplementation of a RAID implementation of, e.g., storage target 102,storage target 104, storage target 106, storage target 108, and/orstorage target 110. An example of target 150 may include but is notlimited to a VPLEX™, VNX™, or Unity™ system offered by Dell EMC™ ofHopkinton, Mass. Examples of storage devices 154, 156, 158, 160, 162 mayinclude one or more electro-mechanical hard disk drives, one or moresolid-state/flash devices, and/or any of the above-noted storagedevices. It will be appreciated that while the term “disk” or “drive”may be used throughout, these may refer to and be used interchangeablywith any types of appropriate storage devices as the context andfunctionality of the storage device permits.

In some implementations, target 150 may include storage processor 152and a plurality of storage devices (e.g., storage devices 154, 156, 158,160, 162). Storage devices 154, 156, 158, 160, 162 may be configured toprovide various levels of performance and/or high availability (e.g.,via storage management process 21). For example, one or more of storagedevices 154, 156, 158, 160, 162 (or any of the above-noted storagedevices) may be configured as a RAID 0 array, in which data is stripedacross storage devices. By striping data across a plurality of storagedevices, improved performance may be realized. However, RAID 0 arraysmay not provide a level of high availability. Accordingly, one or moreof storage devices 154, 156, 158, 160, 162 (or any of the above-notedstorage devices) may be configured as a RAID 1 array, in which data ismirrored between storage devices. By mirroring data between storagedevices, a level of high availability may be achieved as multiple copiesof the data may be stored within storage devices 154, 156, 158, 160,162.

While storage devices 154, 156, 158, 160, 162 are discussed above asbeing configured in a RAID 0 or RAID 1 array, this is for examplepurposes only and not intended to limit the present disclosure, as otherconfigurations are possible. For example, storage devices 154, 156, 158,160, 162 may be configured as a RAID 3, RAID 4, RAID 5 or RAID 6 array.

While in this particular example, target 150 is shown to include fivestorage devices (e.g., storage devices 154, 156, 158, 160, 162), this isfor example purposes only and not intended to limit the presentdisclosure. For instance, the actual number of storage devices may beincreased or decreased depending upon, e.g., the level ofredundancy/performance/capacity required.

In some implementations, one or more of storage devices 154, 156, 158,160, 162 may be configured to store (e.g., via storage managementprocess 21) coded data, wherein such coded data may allow for theregeneration of data lost/corrupted on one or more of storage devices154, 156, 158, 160, 162. Examples of such coded data may include but arenot limited to parity data and Reed-Solomon data. Such coded data may bedistributed across all of storage devices 154, 156, 158, 160, 162 or maybe stored within a specific storage device.

The manner in which target 150 is implemented may vary depending upone.g., the level of redundancy/performance/capacity required. Forexample, target 150 may be a RAID device in which storage processor 152is a RAID controller card and storage devices 154, 156, 158, 160, 162are individual “hot-swappable” hard disk drives. Another example oftarget 150 may be a RAID system, examples of which may include but arenot limited to an NAS (i.e., Network Attached Storage) device or a SAN(i.e., Storage Area Network).

In some implementations, storage target 150 may execute all or a portionof storage management application 21. The instruction sets andsubroutines of storage management application 21, which may be stored ona storage device (e.g., storage device 164) coupled to storage processor152, may be executed by one or more processors and one or more memoryarchitectures included with storage processor 152. Storage device 164may include but is not limited to any of the above-noted storagedevices.

As discussed above, computer 12 may be configured as a SAN, whereinstorage processor 100 may be a dedicated computing system and each ofstorage targets 102, 104, 106, 108, 110 may be a RAID device.Accordingly, when storage processor 100 processes data requests 116,120, storage processor 100 (e.g., via storage management process 21) mayprovide the appropriate requests/content (e.g., write request 166,content 168 and read request 170) to, e.g., storage target 150 (which isrepresentative of storage targets 102, 104, 106, 108 and/or 110).

In some implementations, during operation of storage processor 152,content 168 to be written to target 150 may be processed by storageprocessor 152 (e.g., via storage management process 21). Storageprocessor 152 may include cache memory system 172. Examples of cachememory system 172 may include but are not limited to a volatile,solid-state, cache memory system (e.g., a dynamic RAM cache memorysystem) and/or a non-volatile, solid-state, cache memory system (e.g., aflash-based, cache memory system). During operation of storage processor152, content 168 to be written to target 150 may be received by storageprocessor 152 (e.g., via storage management process 21) and initiallystored (e.g., via storage management process 21) within front end cachememory system 172.

Traditionally, certificate (e.g., SSL certification) management has beenfile based where the certificates reside on the file system and aconfiguration file pointing to the location of the certificates. Anexample of how traditional certificate loading occurs in traditionalwebservers is shown in the example webserver environment 400 of FIG. 4.When the server/process needs to be secured, the certificates are loadedinto the server/process memory by reading the certificate files. Everysingle change to the certificate files (e.g., update, delete or newcertificate(s)) are generally then forcing the server to be restarted toload in the new changes, which is inefficient and slow. Moreover, everyrestart could disrupt the web client functionality. There may be a lotof overhead to make sure that the system cleans up properly duringshutdown, and also a lot of overhead associated with the startup of thesystem. Reload of certificates at the individual port level may not bepossible. For instance, the following use cases may cause a disruptionin service in the traditional approach (e.g., certificate renewal,certificate information update, revocation of certificates.

As such, as will be discussed below, the present disclosure may enablecertificate management that is scalable, flexible and maintainablewithout causing a disruption in the service, where the certificates maybe managed inside the memory with a data source (e.g., such as adatabase for a single machine or a distributed database or a filesystem) that may span a clustered system. In this example approach, thecertificates may be loaded into the memory the first time theserver/process starts up and all the maintenance of certificates (e.g.,addition, deletion, update) may occur in-memory without ever having torestart the process. This approach may be especially useful in a singlemachine/clustered/federated/micro-services environment(s), as well as inthe client environment which may need certificate management.

The Certificate Management Process:

As discussed above and referring also at least to the exampleimplementations of FIGS. 5-9, certificate management (CM) process 10 maymaintain 500, by a computing device, a plurality of certificates in acredential store using a distributed data source. CM process 10 may load502 a certificate of the plurality of certificates in an in-memorylocation from the distributed data source upon startup. CM process 10may detect 504 a change in at least one certificate of the plurality ofcertificates in the distributed data source. CM process 10 may load 506the change in the at least one certificate from the distributed datasource to the in-memory location without requiring a restart of thecomputing device.

In some implementations, CM process 10 may maintain 500, by a computingdevice, a plurality of certificates in a credential store using adistributed data source. For example, the certificates may be completelymanaged and maintained 500 inside the memory for the key store and truststore. All the private keys may be managed and maintained 500 in theirown in-memory key store, and the authority certificates may be managedand maintained 500 in their own in-memory trust store. In someimplementations, for this to happen, one of a data store for a singlecomputing device, a distributed data store spanning a clustered system,and a file system spanning the clustered system may be used as thedistributed data source that acts as a credential store.

In some implementations, CM process 10 may load 502 a certificate of theplurality of certificates in an in-memory location from the distributeddata source upon startup. For instance, and referring at least to theexample implementation of FIG. 6, an example webserver environment 600is shown where the certificates are loaded into memory on systemstartup. In the example, upon webserver/process startup, CM process 10may load 502 the appropriate certificates from the distributed datasource (e.g., credential store) into the in-memory location of thewebserver (e.g., node A, node B, node Z, etc.).

In some implementations, CM process 10 may detect 504 a change in atleast one certificate of the plurality of certificates in thedistributed data source. For instance, assume for example purposes onlythat a change in one of the certificates (e.g., adding, deleting,updating, etc.) occurs in the distributed data source (e.g., thecredential store). In the example, CM process 10 may detect 504 thischange. For example, an event driven technology may be used (e.g., atrust/key store register event listener for the certification changes).Whenever a new certificate is added or existing certificate isdeleted/updated to the credential store, an event may be sent to apre-registered event listener that may reload the certificates when itreceives the signal.

In some implementations, detecting the change in the at least onecertificate of the plurality of certificates in the distributed datasource may include receiving 508 an intra-process communication to loadthe change in the at least one certificate from the distributed datasource to the in-memory location. For example, a reliable intra-processcommunication (e.g., event buses/queues) may inform each process toupdate its memory whenever a change in certificate(s) happens. Forinstance, two threads in a process may communicate with each other (inthis example via an “event bus.”) One thread may write an event to thisevent bus and the other thread may wait on the listener to pick up thesignal and reload the certificates into memory.

In some implementations, the change in the at least one certificate maybe persisted atomically in the distributed data source prior to beingloaded to the in-memory location. For example, all the changes that arereflected in-memory for certificates may need to be persisted atomicallyin the distributed/non-distributed data source before they are reflectedin the memory. This will help maintain consistency should any failure orcorruption occur during the updating of the certificates in-memory.

In some implementations, CM process 10 may load 506 the change in the atleast one certificate from the distributed data source to the in-memorylocation without requiring a restart of the computing device. Forinstance, and referring at least to the example implementation of FIG.7, an example webserver environment 700 is shown where an in-memorycertificate management reloads the certificates without ever having torestart the webserver. FIG. 7 is a higher level view of FIG. 8, whereeach of the boxes in FIG. 7 represent a certificate operation, and whathappens with that certificate operation is described in depth in FIG. 8.For example, and referring at least to the example implementation ofFIG. 8, an example webserver environment 800 is shown with example steps(discussed above) that may occur when a certificate getsadded/deleted/updated without having to restart the webserver. As shownin FIG. 8, when the certificates are added, deleted, or updated, thecertificates may be updated in the credential store of the (master)webserver. The credential store of the master webserver may then besynchronized with the credential store of a (non-master) webserver. Atthis point, as discussed above, a reliable intra-process communication(e.g., event buses/queues) may inform each process to update its memorywhenever a change in certificate(s) happens to thereafter reload thecertificates in-memory (e.g., of the master webserver and the non-masterwebserver).

In some implementations, the plurality of certificates may be associatedwith a plurality of micro-services, wherein each micro-service maymaintain a separate in-memory certificate store that is managedindependently from other micro-services. For example, in a micro-servicebased environment, with the present disclosure, security may be addedseparately for each micro-service, customized to its needs. Forinstance, each micro-service may individually maintain its own in-memorycertificate management that is completely separate from othermicro-services. Generally, micro-services may be described as a softwaredevelopment technique or a variant of the service-oriented architecture(SOA) style that structures an application as a collection of looselycoupled services. In a micro-services architecture, services arefine-grained and the protocols are lightweight. The benefit ofdecomposing an application into different smaller services may be thatit may improve modularity. This may make the application easier tounderstand, develop, test, and become more resilient to architectureerosion. It may parallelize development by enabling small autonomousteams to develop, deploy and scale their respective servicesindependently. It may also allow the architecture of an individualservice to emerge through continuous refactoring. Micro-service basedarchitectures may facilitate continuous delivery and deployment. In thepresent disclosure, each micro-service may be configured to maintainsits own set of certificates in its own credential store. In someimplementations, there may be multiple ports within a micro-servicemaintaining their own certificates with in their own credential store.For example, there may be a security micro-service that maintainscertificates for HTTP and replication service in its credential store onport X. Similarly, there may be a VASA micro-service maintaining its owncertificates in its credential store on port Y.

In some implementations, the plurality of certificates may be associatedwith a plurality of ports, wherein each port may maintain a separatein-memory certificate store that is managed independently from otherports. For example, CM process 10 may maintain a separate in-memorycertificate store for each port, which may be refreshed/maintainedindependently without impacting other ports of the webserver, therebygiving flexibility, scalability and finer granularity. In someimplementations, a common infrastructure may be used for certificatemanagement on different ports. However, each port may be interested in adifferent certificate service. In some implementations, port X (forexample) may be for the system's general webserver service and port Y(for example) may be for providing the VASA provider service.

In some implementations, the change in the at least one certificate maybe loaded to a trust store of a web client. For instance, and referringat least to the example implementation of FIG. 9, an examplewebserver/web client environment 900 is shown. In the example,environment 900 shows components that communicate with multiple remotesystems through secured channels. In order to make the communicationsecure, the remote systems certificates (e.g., CA certificates) may needto be uploaded to the web client's trust store. With the auto reload inplace (similarly as described above), the web client does not have to bereinitialized upon a change in the credentials, and therefore, theexisting connections will not be interrupted. This implementation may besimilar to what the webserver does, as the certificates are still loadedinto the memory of the web client. The client may load the certificatesto the in-memory credential store based on the functionality (e.g.,service/type) of the certificate. For example, does this client sendHTTP requests to webserver, or HTTP requests to a VASA service, etc.

The terminology used herein is for the purpose of describing particularimplementations only and is not intended to be limiting of thedisclosure. As used herein, the singular forms “a”, “an” and “the” areintended to include the plural forms as well, unless the context clearlyindicates otherwise. As used herein, the language “at least one of A, B,and C” (and the like) should be interpreted as covering only A, only B,only C, or any combination of the three, unless the context clearlyindicates otherwise. It will be further understood that the terms“comprises” and/or “comprising,” when used in this specification,specify the presence of stated features, integers, steps (notnecessarily in a particular order), operations, elements, and/orcomponents, but do not preclude the presence or addition of one or moreother features, integers, steps (not necessarily in a particular order),operations, elements, components, and/or groups thereof.

The corresponding structures, materials, acts, and equivalents (e.g., ofall means or step plus function elements) that may be in the claimsbelow are intended to include any structure, material, or act forperforming the function in combination with other claimed elements asspecifically claimed. The description of the present disclosure has beenpresented for purposes of illustration and description, but is notintended to be exhaustive or limited to the disclosure in the formdisclosed. Many modifications, variations, substitutions, and anycombinations thereof will be apparent to those of ordinary skill in theart without departing from the scope and spirit of the disclosure. Theimplementation(s) were chosen and described in order to explain theprinciples of the disclosure and the practical application, and toenable others of ordinary skill in the art to understand the disclosurefor various implementation(s) with various modifications and/or anycombinations of implementation(s) as are suited to the particular usecontemplated.

Having thus described the disclosure of the present application indetail and by reference to implementation(s) thereof, it will beapparent that modifications, variations, and any combinations ofimplementation(s) (including any modifications, variations,substitutions, and combinations thereof) are possible without departingfrom the scope of the disclosure defined in the appended claims.

What is claimed is:
 1. A computer-implemented method comprising:maintaining, by a computing device, a plurality of certificates in acredential store using a distributed data source; loading a certificateof the plurality of certificates in an in-memory location from thedistributed data source upon startup; detecting a change in at least onecertificate of the plurality of certificates in the distributed datasource; and loading the change in the at least one certificate from thedistributed data source to the in-memory location without requiring arestart of the computing device.
 2. The computer-implemented method ofclaim 1 wherein the change in the at least one certificate is persistedatomically in the distributed data source prior to being loaded to thein-memory location.
 3. The computer-implemented method of claim 1wherein detecting the change in the at least one certificate of theplurality of certificates in the distributed data source includesreceiving an intra-process communication to load the change in the atleast one certificate from the distributed data source to the in-memorylocation.
 4. The computer-implemented method of claim 1 wherein thedistributed data source includes one of a data store for a singlecomputing device, a distributed data store spanning a clustered system,and a file system spanning the clustered system.
 5. Thecomputer-implemented method of claim 1 wherein the change in the atleast one certificate is loaded to a trust store of a web client.
 6. Thecomputer-implemented method of claim 1 wherein the plurality ofcertificates is associated with a plurality of micro-services, whereineach micro-service maintains a separate in-memory certificate store thatis managed independently from other micro-services.
 7. Thecomputer-implemented method of claim 1 wherein the plurality ofcertificates is associated with a plurality of ports, wherein each portmaintains a separate in-memory certificate store that is managedindependently from other ports.
 8. A computer program product residingon a computer readable storage medium having a plurality of instructionsstored thereon which, when executed across one or more processors,causes at least a portion of the one or more processors to performoperations comprising: maintaining, by a computing device, a pluralityof certificates in a credential store using a distributed data source;loading a certificate of the plurality of certificates in an in-memorylocation from the distributed data source upon startup; detecting achange in at least one certificate of the plurality of certificates inthe distributed data source; and loading the change in the at least onecertificate from the distributed data source to the in-memory locationwithout requiring a restart of the computing device.
 9. The computerprogram product of claim 8 wherein the change in the at least onecertificate is persisted atomically in the distributed data source priorto being loaded to the in-memory location.
 10. The computer programproduct of claim 8 wherein detecting the change in the at least onecertificate of the plurality of certificates in the distributed datasource includes receiving an intra-process communication to load thechange in the at least one certificate from the distributed data sourceto the in-memory location.
 11. The computer program product of claim 8wherein the distributed data source includes one of a data store for asingle computing device, a distributed data store spanning a clusteredsystem, and a file system spanning the clustered system.
 12. Thecomputer program product of claim 8 wherein the change in the at leastone certificate is loaded to a trust store of a web client.
 13. Thecomputer program product of claim 8 wherein the plurality ofcertificates is associated with a plurality of micro-services, whereineach micro-service maintains a separate in-memory certificate store thatis managed independently from other micro-services.
 14. The computerprogram product of claim 8 wherein the plurality of certificates isassociated with a plurality of ports, wherein each port maintains aseparate in-memory certificate store that is managed independently fromother ports.
 15. A computing system including one or more processors andone or more memories configured to perform operations comprising:maintaining, by a computing device, a plurality of certificates in acredential store using a distributed data source; loading a certificateof the plurality of certificates in an in-memory location from thedistributed data source upon startup; detecting a change in at least onecertificate of the plurality of certificates in the distributed datasource; and loading the change in the at least one certificate from thedistributed data source to the in-memory location without requiring arestart of the computing device.
 16. The computing system of claim 15wherein the change in the at least one certificate is persistedatomically in the distributed data source prior to being loaded to thein-memory location.
 17. The computing system of claim 15 whereindetecting the change in the at least one certificate of the plurality ofcertificates in the distributed data source includes receiving anintra-process communication to load the change in the at least onecertificate from the distributed data source to the in-memory location.18. The computing system of claim 15 wherein the distributed data sourceincludes one of a data store for a single computing device, adistributed data store spanning a clustered system, and a file systemspanning the clustered system.
 19. The computing system of claim 15wherein at least one of: the plurality of certificates is associatedwith a plurality of micro-services, wherein each micro-service maintainsa separate in-memory certificate store that is managed independentlyfrom other micro-services, and wherein the plurality of certificates isassociated with a plurality of ports, wherein each port maintains aseparate in-memory certificate store that is managed independently fromother ports.
 20. The computing system of claim 15 wherein the change inthe at least one certificate is loaded to a trust store of a web client.